diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index 97d1bcdc451802fe1c03449145c0a915e8f3d8b7..d42b2ffed23e2785e6150ccf0ab2a2fc47ca00fd 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -41,7 +41,7 @@ netchecker_server_memory_requests: 64M
 etcd_cert_dir: "/etc/ssl/etcd/ssl"
 canal_cert_dir: "/etc/canal/certs"
 
-kubedns_rbac_resources:
+rbac_resources:
+  - sa
   - clusterrole
   - clusterrolebinding
-  - sa
diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml
index b76ec5b07c46a1d9838a5852a63f2932c07a17dc..e7bd934de3e489afb0a20a843e584856de24c53b 100644
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -23,7 +23,7 @@
   register: manifests
   when:
     - dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
-    - rbac_enabled or item.type not in kubedns_rbac_resources
+    - rbac_enabled or item.type not in rbac_resources
   tags: dnsmasq
 
 # see https://github.com/kubernetes/kubernetes/issues/45084, only needed for "old" kube-dns
diff --git a/roles/kubernetes-apps/ansible/tasks/netchecker.yml b/roles/kubernetes-apps/ansible/tasks/netchecker.yml
index aae75d0914fff2dd2ab19fd00769a78cb07dafa7..d4bfb7a4f3cb201b2a6b1b77d2f4eff1139a537c 100644
--- a/roles/kubernetes-apps/ansible/tasks/netchecker.yml
+++ b/roles/kubernetes-apps/ansible/tasks/netchecker.yml
@@ -5,10 +5,15 @@
   with_items:
     - {file: netchecker-agent-ds.yml.j2, type: ds, name: netchecker-agent}
     - {file: netchecker-agent-hostnet-ds.yml.j2, type: ds, name: netchecker-agent-hostnet}
+    - {file: netchecker-server-sa.yml.j2, type: sa, name: netchecker-server}
+    - {file: netchecker-server-clusterrole.yml.j2, type: clusterrole, name: netchecker-server}
+    - {file: netchecker-server-clusterrolebinding.yml.j2, type: clusterrolebinding, name: netchecker-server}
     - {file: netchecker-server-deployment.yml.j2, type: po, name: netchecker-server}
     - {file: netchecker-server-svc.yml.j2, type: svc, name: netchecker-service}
   register: manifests
-  when: inventory_hostname == groups['kube-master'][0]
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+    - rbac_enabled or item.type not in rbac_resources
 
 #FIXME: remove if kubernetes/features#124 is implemented
 - name: Kubernetes Apps | Purge old Netchecker daemonsets
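Review bot: The per-item filter added to the template task's `when` skips the three RBAC manifests when `rbac_enabled` is false, but skipped items still appear in `manifests.results`, and the apply task in the next hunk of this file loops over that list with only the `inventory_hostname` condition. That task would then be pointed at the ServiceAccount, ClusterRole and ClusterRoleBinding files, which were never rendered; how the kube module reacts to a missing file is not visible here. Turning the apply task's `when` into a list that also contains `- not item|skipped` keeps the two loops in step. The template task itself starts above this hunk.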
@@ -31,4 +36,5 @@
     filename: "{{kube_config_dir}}/{{item.item.file}}"
     state: "{{item.changed | ternary('latest','present') }}"
   with_items: "{{ manifests.results }}"
+  failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg
   when: inventory_hostname == groups['kube-master'][0]
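Review bot: The added `failed_when` tests `manifests`, which is the registered result of the earlier template loop rather than the outcome of this apply task. `manifests|failed` is therefore false whenever templating succeeded, and the expression replaces the module's own failure status, so a rejected ServiceAccount, ClusterRole or ClusterRoleBinding would be reported as ok; any `msg` on that variable comes from the template loop, not from the API server. If the intent is to tolerate only AlreadyExists, register this task's own result and test that: `register: result` with `failed_when: result|failed and "Error from server (AlreadyExists)" not in result.msg`. The task begins outside the hunk, so check whether it already has a `register:` before adding one.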
diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrole.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrole.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..7a8c1d2731d6c4583745dd7ca5847e914930843e
--- /dev/null
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrole.yml.j2
@@ -0,0 +1,9 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: netchecker-server
+  namespace: {{ netcheck_namespace }}
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["list"]
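Review bot: `metadata.namespace` has no effect on this ClusterRole, because the kind is cluster-scoped, and it makes the grant read as if it were confined to `netcheck_namespace` when `list` on `pods` applies to every namespace. The ClusterRoleBinding template in the next file carries the same line. Drop `namespace: {{ netcheck_namespace }}` from both `metadata` blocks. If the server only needs the pods in its own namespace (not determinable from this diff), a namespaced Role and RoleBinding would be the narrower grant; otherwise a one-line comment above `rules:` stating why the list must be cluster-wide would help the next reviewer.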
diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrolebinding.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrolebinding.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..54c1eaf942a5a6f4adc3af5bce8bdadbc189cccc
--- /dev/null
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrolebinding.yml.j2
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: netchecker-server
+  namespace: {{ netcheck_namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: netchecker-server
+    namespace: {{ netcheck_namespace }}
+roleRef:
+  kind: ClusterRole
+  name: netchecker-server
+  apiGroup: rbac.authorization.k8s.io
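Review bot: The `namespace` under `subjects` is rendered from `{{ netcheck_namespace }}` without quotes, so an empty value renders as YAML null and an all-digit name as an integer. The binding may then fail validation or not reference the account created from `netchecker-server-sa.yml.j2`. Quoting the expression, `namespace: "{{ netcheck_namespace }}"`, keeps it a string whatever the variable holds. The same applies to the `metadata.namespace` line in the ServiceAccount template.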
diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
index 6c52352fb5523199c0212cec447851a890967ced..c3dbf3cb589577405f592cd443479797c704d463 100644
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
@@ -31,3 +31,6 @@ spec:
             - "-logtostderr"
             - "-kubeproxyinit"
             - "-endpoint=0.0.0.0:8081"
+{% if rbac_enabled %}
+      serviceAccountName: netchecker-server
+{% endif %}
diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-server-sa.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-server-sa.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..26d15f3a860c3cebef3c6b321818dae073cbb8d3
--- /dev/null
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-sa.yml.j2
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: netchecker-server
+  namespace: {{ netcheck_namespace }}
+  labels:
+    kubernetes.io/cluster-service: "true"